Security of quantum key distribution using d-level systems
We consider two quantum cryptographic schemes relying on encoding the key into qudits, i.e.
quantum states in a d-dimensional Hilbert space. The first cryptosystem uses two mutually unbiased
bases (thereby extending the BB84 scheme), while the second exploits all the d + 1 available such
bases (extending the six-state protocol for qubits). We derive the information gained by a potential
eavesdropper applying a cloning-based individual attack, along with an upper bound on the error 
rate that ensures unconditional security against coherent attacks. 

PACS numbers: 03.67.Dd, 03.67.Hk, 89.70.+c






Quantum key distribution is probably one of the most promising concepts in quantum information
theory, and has been extensively studied both theoretically and experimentally since its discovery
by Bennett and Brassard in 1984 [1]. This cryptographic method allows two remote parties to share
a secret key by use of a quantum channel supplemented with a public authenticated classical
channel (see e.g. [2] for a review). The impossibility for an eavesdropper to tap the quantum
channel without disturbing the communicated quantum data - in a way that can, in principle, be
detected using the classical channel - ensures the security of the key distribution. Most of the
research effort to date has focused on quantum cryptosystems based on two-dimensional quantum
variables (qubits) carried e.g. by the polarization state of individual photons. In particular,
the optimal individual attack is now known both for the BB84 protocol (using two mutually unbiased
bases [3]) and for the six-state protocol (using all three maximally unbiased bases [4,5]).
Strong bounds have also been derived in the more general case of coherent attacks, which are
useful to assess the security of quantum cryptography (see e.g. [6-8]). For higher-dimensional
systems, however, very few results have been obtained on the resistance to eavesdropping of
qudit-based schemes (i.e., schemes based on encoding the key on d-level systems). The only schemes
that have been considered use either two bases for a ququat (4-level system) [9] or four bases
for a qutrit [10], but their security was only investigated against simple non-optimal attacks.

In this Letter, we investigate more general quantum cryptosystems where the encoding is made into
qudits with arbitrary d, extending an earlier study by some of us that only considered simple
individual attacks [11]. A first protocol we study consists in using two mutually unbiased bases,
just as in the original BB84 scheme. The sender Alice sends a basis state in one of these two
bases chosen at random, while the receiver Bob makes a measurement in one of these two bases,
again at random. The basis used by each party is subsequently disclosed on the public channel, so
that Alice and Bob obtain correlated d-ary random variables if they used the same bases (and if
there was no disturbance on the channel), which happens with probability 1/2. The use of mutually
unbiased (or complementary) bases implies that if Alice and Bob use different bases, Bob's
measurement yields a random number that is uncorrelated with Alice's state. The raw secret key is
then made out of the correlated data (discarding the uncorrelated data is known as the sifting
procedure). This procedure ensures that any attempt by an eavesdropper Eve (oblivious of the
chosen basis) to gain information on Alice's state induces errors in the transmission, which can
then be detected by the legitimate parties. The second qudit-based protocol that we study makes
use of all the d + 1 mutually unbiased bases that are available in a d-dimensional Hilbert space,
much in the same way as the six-state protocol for qubits. Here, Alice and Bob choose their basis
at random among the d + 1 possible bases. This method clearly has a lower yield than the first
one since the sifting procedure only keeps one transmission out of d + 1 (instead of 1/2).
However, as we shall see, this second protocol is more secure against individual attacks in the
sense that a slightly higher error rate is acceptable.

In what follows, we will analyze the security of these two cryptographic protocols against
individual attacks (where the qudits are monitored separately) as well as coherent attacks (where
several qudits are monitored jointly). For the individual case, we consider a fairly general class
of eavesdropping attacks that are based on quantum cloning machines. It is known for qubits that
such a cloning-based attack simply is the optimal eavesdropping strategy, that is, the best Eve
can do is to clone (imperfectly) Alice's qubit and keep a copy while sending the original to Bob.
An appropriate measurement of the clone (and the ancilla system) after disclosure of the basis
enables Eve to gain the maximum possible information on Alice's key bit. Extending this
cloning-based individual attack to higher dimensions results in a lower bound on the information
accessible to Eve for a given error rate. Hence, this yields an upper bound on the error rate,
which is a necessary condition for security against individual attacks. (Higher error rates do
not permit establishing a secret key using one-way communication.) We conjecture that applying
the optimal cloner is actually the best strategy for Eve in any dimension, so that this bound is
actually tight. For the case of coherent attacks, we consider a situation where Eve interacts
with a qudit sequence of arbitrary (but finite) length, and then uses the basis information to
extract key information. In particular, we make use of an information-theoretic uncertainty
principle to derive a lower bound on Bob's information, or, equivalently, an upper bound on the
error rate. It is a sufficient condition for the protocol to be guaranteed to generate a nonzero
net key rate for all attacks.

Let us consider first an individual eavesdropping based on the use of a quantum cloning machine
for qudits. The particular cloning machine that is best to use depends on whether the protocol
uses two bases or d + 1 bases. We focus on the case of two bases first, for which we need to use
a cloner that copies equally well two mutually unbiased bases, e.g. the computational basis
$\{|k\rangle\}$, with $k = 0, \dots, d-1$, and its dual under a Fourier transform
with $l = 0, \dots, d-1$. We use a general class of cloning transformations as defined in [12].
If Alice sends the state $|\psi\rangle$, the transformation reads
where A, B, E, and E' stand for Alice's qudit, Bob's clone, Eve's clone and cloning machine,
respectively. Here, the amplitudes $a_{m,n}$ (with $\sum_{m,n=0}^{d-1} |a_{m,n}|^2 = 1$)
characterize the cloner, while the states $|B_{m,n}\rangle_{EE'}$ are d-dimensional Bell states,
that is, a set of $d^2$ orthonormal maximally-entangled states of two qudits,
with $m, n = 0, \dots, d-1$. Note that the kets must be taken modulo d here. The operators
$U_{m,n}$ defined as
form a group of qudit error operators, generalizing the Pauli matrices for qubits: m labels the
shift errors (extending the bit flip $\sigma_x$) while n labels the phase errors (extending the
phase flip $\sigma_z$). Tracing the output joint state given by Eq. (2) over EE' implies that
Alice's state $|\psi\rangle_A$ is transformed, at Bob's station, into the mixture
Thus, the state undergoes a $U_{m,n}$ error with probability $|a_{m,n}|^2$. Note that
$U_{0,0} = 1$, implying that the state is left unchanged with probability $|a_{0,0}|^2$. If Alice
sends any state $|k\rangle$ in the computational basis, the phase errors ($n \neq 0$) clearly do
not play any role in the above mixture since
$U_{m,n}|k\rangle = e^{2\pi i (kn/d)}|k+m\rangle$, so Bob's fidelity can be expressed as
In the complementary basis, we have
$U_{m,n}|\bar{l}\rangle = e^{-2\pi i (l+n)m/d}|\overline{l+n}\rangle$, so the shift errors
($m \neq 0$) do not play any role and Bob's fidelity becomes
For the cloner to copy equally well the states of both bases, we choose a d x d amplitude matrix
of the form
with x, y, and v being real variables satisfying the normalization condition
$v^2 + 2(d-1)x^2 + (d-1)^2 y^2 = 1$. Thus, Bob's fidelity is $F = v^2 + (d-1)x^2$ in both bases,
and the corresponding mutual information between Alice and Bob (if the latter measures his clone
in the good basis) is given by



$I_{AB} = \log_2 d + F \log_2 F + (1-F) \log_2$
since the d - 1 possible errors are equiprobable.

Now, the clone kept by Eve can be shown to be in a state given by an expression similar to
Eq. (5) but with the amplitudes $a_{m,n}$ replaced by
[12]. This corresponds to a matrix similar to Eq. (8) but with

$x \to x' = [v + (d-2)x + (1-d)y]/d$

$y \to y' = (v - 2x + y)/d$

$v \to v' = [v + 2(d-1)x + (d -$

resulting in a cloning fidelity for Eve given by $F_E = v'^2 + (d-1)x'^2$. Maximizing Eve's
fidelity $F_E$ for a given value of Bob's fidelity F (using the normalization relation) yields
the optimal cloner:
The corresponding optimal fidelity for Eve is
Let us see how Eve can maximize her information on Alice's state. If Alice sends the state
$|k\rangle$, then it is clear from Eq. (2) that Eve can obtain Bob's error m simply by performing
a partial Bell measurement (measuring only the m index) on EE'. Then, it appears from Eqs. (2)
and (8) that, in order to infer Alice's state, Eve must distinguish between d non-orthogonal
states (corresponding to all possible values of k) with a same scalar product
$(dF - 1)/(d - 1)$ for all pairs of states, regardless of the measured value of m. Consequently,
Eve's information $I_{AE}$ is simply given by the same expression as Eq. (9) but replacing F by
$F_E$. As a result, Bob's and Eve's information curves intersect exactly where the fidelities
coincide, that is, at
We now use a theorem due to Csiszar and Korner [13], which provides a lower bound on the secret
key rate, that is, the rate R at which Alice and Bob can generate secret key bits via privacy
amplification: if Alice, Bob and Eve share many independent realizations of a probability
distribution p(a, b, e), then there exists a protocol that generates a number of key bits per
realization satisfying

$R > \max(I_{AB} - I_{AE},\ I_{AB} - I_{BE})$    (15)

It is therefore sufficient that $I_{AB} > I_{AE}$ in order to establish a secret key with a
non-zero rate. If we restrict ourselves to one-way communication on the classical channel, this
actually is also a necessary condition. Consequently, the quantum cryptographic protocol above
ceases to generate secret key bits precisely at the point where Eve's information attains Bob's
information. In Table I, we have computed the disturbance D = 1 - F (or error rate) at which
$I_{AB} = I_{AE}$ (or $F = F_E$), that is, above which Alice and Bob cannot distill a secret key
any more by use of one-way privacy amplification protocols. Strictly speaking, since we only
conjectured here that the cloning-based attack is optimal for all d, $D_2^{\mathrm{ind}}$ is
actually an upper bound on D that must necessarily be satisfied to generate secret key bits with
one-way protocols. (A tighter upper bound on D might exist if the optimal individual attack was
not cloning, but we conjecture this is not the case). Interestingly, we note that D increases
with the dimension d, suggesting that a cryptosystem based on qudits is more secure for large d.



Now, we consider the second protocol where all d + 1 bases are used. The cloner that must be used
then is an asymmetric universal cloner [12], characterized by an amplitude matrix of the same
form as (8) but with x = y, the normalization relation becoming $v^2 + (d^2 - 1)x^2 = 1$. Here,
Bob's fidelity is given by $F = v^2 + (d-1)x^2 = 1 - d(d-1)x^2$, so that the cloner is
characterized by
As before, Bob's information is given by Eq. (9). Eve's clone is characterized by a matrix of the
same form, with

$x' = (v - x)/d$

$v' = [v + (d^2 - 1)x]/d$

so the corresponding fidelity is $F_E = v'^2 + (d-1)x'^2 = 1 - d(d-1)x'^2$. For deriving Eve's
information, we need first to rewrite the cloning transformation as
After the basis is disclosed, Eve's strategy is first to measure both E and E', the difference
(modulo d) of the outcomes simply giving Bob's error m. Making use of $v - x = x'd$ and
expressing x and x' as functions of F and $F_E$, it is easy to check that the best Eve can do
then is to use the state of her clone E as an estimate of Alice's state $|k\rangle$. If Bob makes
no error (m = 0), which happens with probability F, then it yields the correct value of k with
probability $(F + F_E - 1)/F$, while it yields any other of the d - 1 possibilities $l \neq k$
with probability $(1 - F_E)/[(d-1)F]$. In contrast, if Bob makes an error ($m \neq 0$), then Eve
obtains the right k with probability one. Consequently, the average mutual information between
Alice and Eve conditionally on Bob's error m can be written as



$I_{AE} = \log_2 d + (F + F_E - 1) \log_2$
One can check that, for a given F, $I_{AE}$ is slightly lower here than for the 2-bases protocol,
which is consistent with the stronger requirement that we put on the cloner. Therefore, the
fidelity F at which $I_{AB} = I_{AE}$ is slightly lower, and the corresponding disturbance
D = 1 - F is slightly higher. In Table I, we have shown the corresponding upper bound
$D_{d+1}^{\mathrm{ind}}$ for several values of d, illustrating that there is a slight advantage
in using all d + 1 bases, as for the 6-state protocol for qubits [4,5].

Our last result concerns the most general eavesdropping strategy which consists in applying a
coherent attack on a sequence of qudits of arbitrary (but finite) size n. Actually, our reasoning
is simpler to state with a single qudit, but it remains valid for qudit sequences. We use an
uncertainty principle due to Hall [14] that puts a limit on the sum of Bob's and Eve's
information: if B and E are Bob's and Eve's observables applied on the qudit sent by Alice, then



$I_{AB} + I_{AE} < 2 \log_2$
where $|b_i\rangle$ and $|e_j\rangle$ are the eigenstates of B and E, respectively. Since Eve has
no way of guessing the basis used by Alice, her optimal information is the same for the correct
and incorrect bases. Thus, one can bound $I_{AE}$ by assuming that Eve measures an observable E
complementary to B (i.e. $|\langle b_i|e_j\rangle| = d^{-1/2}, \forall i, j$) [6]:
Using the discussion following Eq. (15), we conclude that $I_{AB} > \log_2(d)/2$ is a sufficient
condition to warrant security against coherent attacks if the key is made out of a large number
of independent realizations of n-qudit sequences (i.e., if the key is much longer than n). Using
Eq. (9), this translates into a lower bound on F, or, equivalently, an upper bound on D
which guarantees that one can distill secret key bits. This bound for coherent attacks, shown in
Table I, exactly coincides with the well-known 11% bound on the error rate for d = 2 due to
Mayers [6].

In summary, we have extended standard quantum cryptography to protocols where the key is carried
by quantum states in a space of arbitrary dimension d. We have used a general model of quantum
cloning [12] in order to calculate the information accessible to an eavesdropper monitoring the
qudits individually. This provides an upper bound on the error rate above which the legitimate
parties cannot distill a secret key by use of one-way privacy amplification protocols (since
$I_{AB} < I_{AE}$). We conjectured that this bound is tight (i.e., applying the optimal cloner
is the best strategy for Eve to gain the maximum information). Our analysis also suggested that
the 2-bases protocol should be preferred to a (d + 1)-bases one since its maximum acceptable
error rate is only slightly lower, while the corresponding secret key rate is much larger.
Finally, we have derived a very simple security proof of quantum cryptography with qudits that
exploits an intuitive information inequality constraining the simultaneous measurement of
conjugate observables [14]. This results in an upper bound on the acceptable error rate that is
more restrictive than the previous one, but guarantees that a non-zero secret key rate can always
be produced (even with coherent attacks on sequences of finite length). In the region between
these two bounds, it is unknown whether the security is guaranteed or not.



It should be stressed that all the bounds on D discussed above tend to 1/2 for $d \to \infty$,
reflecting the advantage of using higher-dimensional spaces. However, practical limitations might
be more severe in realistic qudit-based cryptosystems, in particular the influence of the
detector's quantum efficiency and dark count rate. This is discussed in a related paper [15].

Note: After completion of this work, it was proven in 
an independent paper [16] that the optimal individual
attack for qutrits (d = 3) when using all four mutually 
unbiased bases exactly coincides with our results based 
on the optimal cloning machine, as conjectured here. 
15.64
22.67 
26.66 
29.23 
34.97 



11.00 
15.95 
18.93 
20.99 
26.21 



TABLE I. Disturbance D = 1 - F (or error rate) as a function of the dimension d. The columns
$D_2^{\mathrm{ind}}$ and $D_{d+1}^{\mathrm{ind}}$ display the values of D at which
$I_{AB} = I_{AE}$ for a cloning-based individual attack with the 2-bases or (d + 1)-bases
protocol, respectively. The last column $D^{\mathrm{coh}}$ corresponds to an upper bound on D
that guarantees security against coherent attacks.
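
The two surviving columns of Table I can be recomputed from the relations in the text; the Python below is an added example, not code from the paper. It assumes Bob's information has the form log2 d + F log2 F + (1-F) log2[(1-F)/(d-1)] (implied by the d - 1 equiprobable errors, since the last term is truncated on this page), builds Eve's information for the (d + 1)-bases protocol from the guessing probabilities stated above, and bisects for D. The row dimensions d = 2, 3, 4, 5, 10 and all function names are assumptions.

```python
from math import log2, sqrt

def plog(p, q=1.0):
    """p * log2(p / q), with the usual 0 * log 0 = 0 convention."""
    return p * log2(p / q) if p > 0 else 0.0

def i_ab(d, F):
    # Bob is right with probability F; the d - 1 errors are equiprobable.
    return log2(d) + plog(F) + plog(1 - F, d - 1)

def eve_fidelity(d, F):
    # (d+1)-bases cloner: F = 1 - d(d-1)x^2, v^2 + (d^2-1)x^2 = 1, x' = (v-x)/d.
    x = sqrt((1 - F) / (d * (d - 1)))
    v = sqrt(1 - (d * d - 1) * x * x)
    x_eve = (v - x) / d
    return 1 - d * (d - 1) * x_eve ** 2

def i_ae(d, F):
    # If Bob is right (prob. F) Eve guesses k with prob. (F+FE-1)/F and each
    # wrong value with prob. (1-FE)/[(d-1)F]; if Bob errs she knows k exactly.
    FE = eve_fidelity(d, F)
    return log2(d) + plog(F + FE - 1, F) + plog(1 - FE, (d - 1) * F)

def threshold(gap, d, iters=200):
    """Bisect for the disturbance D = 1 - F at which gap(d, F) changes sign."""
    lo, hi = 1e-12, (d - 1) / d      # gap > 0 near D = 0, < 0 at F = 1/d
    for _ in range(iters):
        mid = (lo + hi) / 2
        if gap(d, 1 - mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def d_individual(d):
    """Largest D with I_AB >= I_AE under the cloning attack, (d+1) bases."""
    return threshold(lambda d, F: i_ab(d, F) - i_ae(d, F), d)

def d_coherent(d):
    """Largest D with I_AB >= log2(d)/2, the coherent-attack condition."""
    return threshold(lambda d, F: i_ab(d, F) - log2(d) / 2, d)

if __name__ == "__main__":
    # Dimensions assumed for the five table rows (the d column is missing).
    for d in (2, 3, 4, 5, 10):
        print(d, f"{100 * d_individual(d):.2f}", f"{100 * d_coherent(d):.2f}")
```

The 2-bases column is not reproduced because the optimal-cloner expressions for that protocol did not survive on this page.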



